In honour of National Scams Awareness Week, we are shining a light on one of the most prolific hunting grounds for fraudsters, scammers, and even secret agents: LinkedIn.
Now, more so than ever, LinkedIn is prospering in this ‘business as unusual’ world we find ourselves in. Whether living in lockdown or accustomed to heightened yet normalised virtual activity, LinkedIn engagement is growing exponentially – particularly in the areas of Talent Solutions (recruitment), LinkedIn Learning, and LinkedIn Live, its newest broadcast video streaming functionality.
More than a social media channel, LinkedIn is a thriving social network, a digitised business community, an opportunity marketplace, a news site, an online learning portal, and an advertising platform. Each month, over 690 million users worldwide sign in to promote, search, find and share their information, ideas, news, and insights. Connections are made and networks are formed, all with the ease of a simple few clicks.
So, with hundreds of millions of professionals turning to LinkedIn as a one-stop-shop for their professional aspirations, is it any surprise that LinkedIn has become a hotspot for cyber criminals seeking to exploit this captive community? If you’re an active member, it’s time to get savvy on the (not so) good, the bad, and the ugly scams of LinkedIn.
The (Not So) Good: Fake Profiles and Connection Requests
The grassroots of LinkedIn are ‘connections’ – meeting and connecting with like-minded professionals, industry peers and business leads. As expected, the most common scam is the illegitimate connection request, whereby you receive an invitation to connect from a ‘professional’ of some sort. The request can come in many forms – a “friend from the past”, someone you “met at a conference”, a respected senior figure at a leading company, or even a romantic pursuit – and is normally backed up by a profile that appears authentic but is very much fake. The aim of these requests is to gain your trust and then send you malicious links that install viruses and malware on your device.
To avoid falling victim to a fake connection request:
- Avoid accepting invitations from people you don’t know.
- Check their profile for suspicious activity or (mis)information, e.g. a stock-image profile picture, no shared connections, an odd company name and/or position title, a work history that doesn’t add up, or LinkedIn group memberships (or the lack of them) that don’t fit the claimed career.
- If in doubt, select ‘Ignore’!
The Bad: Fake Job Offers
Another leading drawcard for LinkedIn beyond building a professional network is the opportunity to advance your career. Whether we admit it or not, we all want to be headhunted for our ideal role. Scammers know this and they prey on this vulnerability through fake job offers. There are a few ways that scammers target their victims using this tactic:
- The illegitimate approach comes from a “recruiter” who contacts you via private message or InMail with an offer that sounds genuine. They may use the names of real companies and recruitment agencies, engage in chit-chat to build trust, and are likely to offer a salary above the market rate to lure you in.
- The fraudster posts a job ad under a fake company or agency name. The ad looks incredibly attractive, with thousands of ‘views’ (from bots, that is).
- Phishers use their tried and tested method of choice – a fake LinkedIn email advising you “appeared in X searches this week” with a button to ‘See All Searches’, enticing you to see who’s looking at your profile and where your potential next job offer could be coming from.
The nefarious intention of fake job offers is two-fold. Malicious links once again install malware, ransomware, and viruses on your device, and/or you are coaxed into handing over personally identifiable information (PII). Both can be costly, with the potential for financial loss and identity theft.
To avoid falling victim, look out for these tell-tale traits of fake job ads and recruiters:
- Fake company or agency name – if you’ve never heard of it, Google it – and then dig deeper just in case
- No contact email or phone number – if the only way to respond is via private LinkedIn mail or via comment, either it’s fake or the recruiter doesn’t know how to do their job
- Strange email address – if there is a contact email but it isn’t on the advertising company’s domain (especially if it’s a free service like @live.com), be very cautious
- The role doesn’t match the company – a financial services company looking for a chef just doesn’t sound right
- The ad doesn’t specify the skills or experience required for the role
- You’re asked to provide PII and financial information
- The recruiter is overzealous to seal the deal and offers you the job without an interview or background check.
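As an added example (not part of the original article), the Python script below applies the red flags above to a captured email: it parses the From header, flags a display name that claims to be LinkedIn when the sending domain is not linkedin.com, flags a "recruiter" writing from a free webmail provider, and checks whether the call-to-action links actually point at LinkedIn rather than a lookalike host. The three sample messages are constructed for this example, and the allow list of LinkedIn sending domains and the set of free-mail providers are assumptions you would tune for your own environment.

```python
"""Heuristic red-flag checks for LinkedIn-themed phishing and fake recruiter mail."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: genuine LinkedIn notifications come from
# linkedin.com or one of its subdomains. Extend this allow list as needed.
LINKEDIN_DOMAINS = ("linkedin.com",)
# Free webmail providers; a corporate recruiter writing from one of these is
# the article's "@live.com" red flag.
FREE_MAIL_DOMAINS = {"live.com", "hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}


def under_domain(host, domain):
    """True if host is domain or a subdomain of it. Matches on whole labels,
    so 'linkedin.com.login.test' and 'notlinkedin.com' do not pass."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def html_body(msg):
    """Return the decoded text/html part of the message, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_message(raw_mail):
    """Return a list of (code, detail) findings; an empty list means no red flag fired."""
    msg = message_from_string(raw_mail)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []

    # 1. Brand impersonation: display name says LinkedIn, sending domain does not.
    if "linkedin" in display_name.lower() and not any(
        under_domain(sender_domain, d) for d in LINKEDIN_DOMAINS
    ):
        findings.append(("sender-not-linkedin", sender_domain))

    # 2. Free webmail sender: a real corporate recruiter mails from the company domain.
    if sender_domain in FREE_MAIL_DOMAINS:
        findings.append(("free-webmail-sender", sender_domain))

    # 3. Call-to-action links that leave LinkedIn, with lookalike hosts called out.
    collector = _LinkCollector()
    collector.feed(html_body(msg))
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        if not any(under_domain(host, d) for d in LINKEDIN_DOMAINS):
            code = "lookalike-link" if "linkedin" in host else "offbrand-link"
            findings.append((code, href))
    return findings


# Constructed sample messages (not real mail). PHISH mimics the article's
# "appeared in X searches this week" lure, LEGIT is a notification that passes
# every check, and RECRUITER is a "headhunter" writing from a webmail account.
PHISH = """\
From: LinkedIn Notifications <notifications@linkedin-alerts.example>
To: you@example.org
Subject: You appeared in 7 searches this week
Content-Type: text/html; charset="utf-8"

<html><body><p>You appeared in 7 searches this week.</p>
<p><a href="http://www.linkedin.com.login-check.example/see-all">See All Searches</a></p>
</body></html>
"""

LEGIT = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: you@example.org
Subject: You appeared in 3 searches this week
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.linkedin.com/notifications/">See All Searches</a></p></body></html>
"""

RECRUITER = """\
From: Sam Talent <sam.talent.hiring@live.com>
To: you@example.org
Subject: Senior role, salary well above market
Content-Type: text/plain; charset="utf-8"

Hi, I recruit for a well-known bank. Send your date of birth and bank details so we can proceed.
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT), ("RECRUITER", RECRUITER)):
        print(label, check_message(sample) or "no red flags")
```

The domain check deliberately matches whole labels, so a host such as www.linkedin.com.login-check.example is reported as a lookalike rather than accepted; the same helper would fit a mail gateway rule or a SIEM enrichment step, where the allow list of sending domains would come from your own configuration.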
The Ugly: Cyber Espionage
Building on illegitimate connection requests and fake head-hunters, foreign agents up the ante when it comes to LinkedIn deception. Earlier this year in a US court, Dickson Yeo pleaded guilty to spying for China’s intelligence service using LinkedIn. Yeo, posing as a political risk analyst, spun up a bogus consultancy firm and posted fake job ads that attracted over 400 applicants including US military and government employees. His objective was to advance China’s espionage efforts by harvesting personal and security clearance details of US intelligence officials.
Yeo’s story is by no means an isolated case. A New York Times article from August 2019, How China Uses LinkedIn to Recruit Spies Abroad, shows how commonplace it is for foreign governments to use social media to target their victims. It would be naïve to think China is the only country using LinkedIn in this way; every country has national security concerns and dabbles in espionage and counterespionage, so the lessons learned from these accounts should serve as a warning about tactics and techniques rather than a warning against China. Nevertheless, the New York Times article does claim LinkedIn is the social media site most leveraged by the intelligence community, and that “Chinese spies are the most active.”
Most of us think we wouldn’t fall for this kind of attack – or even be the type of person being targeted. However, espionage is a long and slow game, with relationships formed over many months and years, so many of us with large LinkedIn networks may already have unwittingly connected to an overseas operative. The problem is, their reasons for connecting are often very real, and since they know what you are posting and have seen who you are connected to and where you work, they know which buttons to push. Sometimes they pose as recruiters specialising in the industry you are an expert in. They might claim to work for a consulting organisation, and in some cases they have set up fake companies, websites, email addresses, and even fake supporting social media accounts, like Facebook and Twitter, so they come across as legitimate and believable.
Scams on the Rise
This year alone, the ACCC’s Scamwatch has recorded over 24,000 reports of lost or stolen personal information, representing more than $22 million and a 55 percent increase compared to the same period last year. People aged between 25 and 34 years are the biggest and most successfully targeted group.
With more of us working and socialising online, cyber criminals are making hay while the sun shines – except that we’re unlikely to regress from our digital lives at any point now or in the future. Therefore, it’s our responsibility to increase our cyber wits and ensure we keep our online profiles safe.
LinkedIn has some good advice about locking down your security and privacy settings, so that’s a good place to start. Details can be found here.
- Don’t overshare. A few misplaced facts about yourself or your company could reveal a hook that attackers can exploit.
- Keep your contact details private. LinkedIn provides an internal messaging system, so there is no need to include personal or business email addresses or phone numbers.
- Don’t accept every connection request. If you don’t know someone, why connect to them? Sometimes it makes sense to connect to new people, but caution remains the best policy.
- Accounts get hijacked. If you receive an unusual request from someone you are connected to, their account may already be compromised. Try verifying the request via a different communication channel (phone, email, etc.).
- Clean up your connections. Housekeeping is the best way of keeping your network clean and safe from intruders. If you have many connections gathered over a long career, it’s impossible to gauge their safety after ten years of not speaking with them. If in doubt, delete them.